Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov are warning that new lower-cost payment systems could hurt companies because of security flaws that could enable hackers to steal credit card data or change the value of what people are purchasing.
CNET reported the researchers released their findings during the Black Hat security conference being held this week in Las Vegas, saying hackers are targeting cheap card readers, which have gained in popularity because they are easy targets for hackers. The card readers typically attach to a tablet and or smartphone. And with mobile growing as a preferred payment method for scores of consumers, it provides a lucrative target for hackers.
Galloway and Yunusov looked at readers from point-of-sale companies in the U.S. and Europe including Square, PayPal, SumUp and iZettle. They found that physically it was hard to break in, but on the security side of things, there were security holes — including a flaw in three of the readers that would enable a merchant to change what the customer views on the screen. For example, it could show a transaction didn’t go through when it really did, resulting in the consumer paying twice. That could provide a way for an unscrupulous merchant to steal from customers. “It’s possible, if you were a fraudulent merchant, you could change the transaction value to make it a higher value than what’s displayed on the reader,” Galloway told CNET in an interview. “The significance is that this a realistic attack vector because so many transactions are carried out through swipes.”
What’s more, the researchers found the display could be altered to direct customers to pay with a swipe of the magnetic stripe instead of using the chip, which would make customers more at risk to any attacks on swiping a card. As for the Bluetooth that many of the card readers use to connect to the device, the Positive Technologies researchers discovered they weren’t used in a secure manner when pairing the devices. They said Bluetooth should be associated with a password and/or an alert should go to the person that lets them know if their device is connected wirelessly. “You might just never know if someone was an attacker [and] walked into your cafe and connected to your reader,” Galloway said. The researchers noted the security holes haven’t been taken advantage of by hackers yet.
Square told CNET the vulnerabilities were on the Miura M010 Reader, a third-party sales system that connected to Square’s software. “As soon as we became aware of a vulnerability affecting the Miura Reader, we accelerated existing plans to drop support for the M010 Reader, and began transitioning all these Square sellers to a free Square Contactless and Chip Reader,” a Square spokesperson said. The companies affected by the security flaws were notified in April, noted the researchers.